VyOS 1.2(Crux) EPA3 available to subscribers
The new VyOS 1.2.0-epa3 early is ready and available to subscribers
PowerDNS was updated to 4.1.8-2
StrongSWAN was updated to 5.7.2-1
FRRouting was updated to 6.0.2
A few vulnerabilities in PowerDNS recursor are fixed by the latest release, including CVE-2018-10851, CVE-2018-14626, and CVE-2018-14644. They would allow a remote attacker to crash the daemon by a specially crafted response, or, in one instance, a request, so everyone who uses DNS forwarding is advised to upgrade.
One possible instance of DoS in FRR’s BGP has been fixed as well
Multiple issues in the DMVPN implementation have been resolved. One issue caused the system to remove all SAs when a DMVPN peer went down, but it should be resolved now. Also, the “run show vpn ipsec sa” script is now capable of displaying DMVPN tunnels, and we hope it’s also more robust now.
If you experience any issues with DMVPN, or IPsec in general, please let us know.
CPU overload in VMware guests with large routing tables
Some people reported an issue with VMware tools causing a very high CPU load on machines with very large routing tables. Since many people use VyOS as a BGP edge router and receive full feeds, it could have a serious performance impact.
We have disabled data polling, which solved the performance problem, but it also prevents VMware VM data from updating when e.g. IP addresses of the VM change. The data set at config load time is displayed correctly so the impact of the change is limited.
We’ll keep looking into making data polling more granular.
Other issues we have resolved:
- Attempting to use NetFlow version 9 with engineid option no longer causes the daemon to stop (T1149).
- BGP redistribute static option is now converted from old syntax on upgrade from 1.1.8 (T1112).
- Modules for second-generation Hyper-V VM support are now enabled by default (T996).
- Quotes (as pseudo-HTML “"” entities) are now supported in DHCP shared-network-parameters option (T1129).
- The maximum size of completion data has been increased, the old value was too small for installations with particularly large numbers of e.g. firewall groups (T1068).
- GRUB menu works with serial console again (T1007).
- RAID1 support is fixed (T1120).
- An issue that could prevent deletion or editing of WireGuard tunnels was fixed (T1162).